Workers duped by simple CD ruse

Free holiday trick highlights security holes

By Jeremy Kirk | 14 March 06

To office workers trudging to their desks, the promotion looked like a chance at sweet relief from the nine-to-five grind.

By simply running a free CD on their computers, they would have a chance to win a holiday. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared.

Like flies to rubbish, dozens of victims took the disc, unable to control the irresistible attraction of 'free'.

Secret agents behind enemy lines, the CDs piggy-backed through companies' physical security systems tucked in the bags and pockets of their couriers. The office workers dutifully took the CDs to their desks and plopped them in their employers' computers.

The mission was complete.

In the process, the CDs probably skirted an array of IT security systems in place to prevent malicious code from being installed. While the CDs did not contain malicious code, the exercise accomplished the point Robert Chapman wanted to make: people are misinformed about what actions could damage their computers or expose them to malware, adware and viruses.

"All these things are bypassed by human nature and curiosity and a level of ignorance and naivety," said Chapman, director of The Training Camp, a computer training and consulting business based in London, which came up with the idea. "The lure of a free holiday interests them more than the potential damage that they may make to their corporate network."

When a user ran the disc, the code on it prompted a browser window that opened a website, Chapman said. The site then tried to load an image from another website, Chapman said.

The number of people who opened the CD could be tracked by the number of times the image was accessed, he said. Users only saw an error message saying the page could not be loaded, he said.

"There is nothing clever about it, or illegal," Chapman said of the disc's code.

While the front of the CD contained a written warning to users to check their company's internal security guidelines before running the CD, as many as 75 of the 100 CDs were played. Chapman said they were able to trace IP addresses of those computers that tried to access the image and found that employees at two well-known insurance companies and a retail bank were among those duped.

Chapman declined, however, to identify the names of those businesses.

The experiment underscores what experts say is the weakest point for IT security: people. While many companies have policies and make their employees sign legally binding documents with rules of use for company computers, it's doubtful users get specific training on why those rules are in place, Chapman said.

Firewalls can block incoming hacking attempts, but most default firewall settings allow outbound traffic, Chapman said. If malicious code was already in the system, it may not be blocked by the firewall, allowing for the transmission of data from inside the computer, he said.

Chapman said he surprisingly didn't get any angry calls from rankled systems administrators. "I was half expecting something like that to happen, but I hope people realise that this is being done with a good heart," he said.